Into the Breach

For many years, data breaches were a subject discussed only within the IT industry. But as the sophistication of these attacks has grown and the costs associated with them has mounted, that has become a luxury no one can afford.

By 2012, with data breaches becoming such a common occurrence that they seemed all but inevitable, FBI Director Robert Mueller told an information security conference, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

With ever-evolving hacker sophistication, the philosophy for defending against data breaches has shifted.

Where IT security professionals might once have tried to erect impermeable walls around their systems, the emphasis is now on proper and timely detection and response to inevitable breaches.

Meanwhile, the prime targets are also changing. Major repositories of valuable commercial secrets—university labs, regulatory agencies, and corporate law firms—are increasingly being targeted by hackers intent on stealing clients’ secrets involving intellectual property or mergers and acquisitions. Government investigators believe, for instance, that the prominent M&A firms Cravath, Swaine & Moore and Weil, Gotshal & Manges were hacked for information that could be used for inside trading.

Wake-up Call

In the last few years, the scale of these breaches—and the consequent damage they can do to consumers’ privacy—has begun capturing wider attention.

A 2014 data breach at Home Depot potentially compromised the private information of 56 million individuals. Others followed at Chase bank (76 million), Anthem Blue Cross (as many as 80 million), and Target (110 million). The granddaddy was a breach of Yahoo’s system, which involved 1.5 billion user accounts.

The case involving the global law firm DLA Piper, which was attacked by ransomware in 2017 that all but shut down the firm for days, got everyone’s attention in the legal arena, says Sharon Nelson, an attorney who specializes in IT threat mitigation through her Virginia-based firm Sensei Enterprises.

“The DLA Piper leak was a showstopper for firms of all sizes. What we keep hearing is, ‘If it could happen to DLA Piper, what hope do any of us have when it comes to protecting client data?’”

What Not to Do

Given the ubiquity of the problem in recent years, endless suggestions have issued forth about what organizations should do in the wake of a data breach. So instead, we asked an expert for a quick rundown on some pitfalls you should avoid after an IT incursion. Here is Sharon Nelson’s list:

•Failing to notify the regional FBI office (some firms just call their local police departments).•Failing to notify clients who may have been impacted in a timely manner.•Failing to follow their state data breach notification law (many hide behind the “no one can ascertain for sure what data was compromised” argument).•Moving too quickly to announce a breach, especially where there is no response plan in place and no facts have yet been gathered by digital forensics. Never let public statements outrun provable facts.•Using IT generalist staff to conduct breach investigations rather than experts. •Moving too slowly to announce the breach. It will look like concealment and have a bad PR response when and if the breach becomes public.•Discussing the breach on social media. A carefully crafted statement on the website is a better idea.•Failing to instruct employees on how to handle questions about the breach.

You’ll Need a Plan

The foundation of any organization’s effective data breach strategy should be having a solid incident response plan in place.

These IRPs would typically include such components as having a data breach lawyer and a digital forensic consultant lined up ahead of time and having internal IT systems logs and insurance coverage in place to cover such an eventuality, as well as a plan for containment of and recovery from the breach.

Even in the face of the mounting evidence that it’s disastrous to ignore proper IT security, many organizations continue to drag their feet.

Sometimes they’re forced to act by clients, who insist on security audits of their operations before doing business. “Client security audits have proliferated,” says Sharon Nelson. “This train is moving even faster than the adoption of incident response plans.”

Law Firms as Juicy Targets for Hacking

IF robbers target banks simply because that’s where the money is, sophisticated hackers often find law firms as an inviting target for similar reasons: they’re repositories of valuable information.

In 2009, the Federal Bureau of Investigation warned American law firms that they were being specifically targeted by hackers intent on breaching their computer security. Two years later, the bureau organized an educational meeting with the managing partners of top law firms, paying special attention to firms with offices in Russia or China.

If law firms needed that warning then, either about state-sponsored players or hackers with fewer resources, the threat is hardly news to them today.

After all, two-thirds of U.S. law firms were breached in 2016, and 18 firms reported losing a client after failing an IT security audit, according to one survey.1

An American Bar Association study2 found that 40 percent of firms that suffered a data breach in 2016 reported significant downtime and loss of billable hours.

The list of firms that have suffered breaches reads like a who’s who of marquee names. The Chicago-based firm Johnson & Bell was hit with a class action suit in late 2016 over its alleged failure to protect client information. The irony of the DLA Piper breach is that the firm promoted itself as a specialist in cybersecurity.

The Panama Papers case, which involved the leaking of 11.5 million legal documents from a Panamanian law firm that specialized in setting up offshore entities, represented an earthquake-sized wakeup call in the legal sector.